How to spot and expose fraudulent North Korean IT workers

North Koreans have infiltrated countless U.S. companies as remote IT workers. That means your top developer could also work for one of the world's most notorious dictators.

A seasoned cyberthreat expert has unconventional advice for hiring managers interviewing remote IT workers: Gauge candidates' willingness to insult the authoritarian supreme leader of North Korea.

"My favorite question is something to the effect of, 'How fat is Kim Jong Un?'" said Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, during a panel discussion at RSAC Conference 2025. He added that he's seen this question cause "quite a few" candidates to hang up on their interviewers. The reason: They were North Korean nationals posing as Americans, with the aim of evading sanctions and earning money for the Democratic People's Republic of Korea (DPRK). "It's not worth the heat for them to say something negative about the geo leader there," Meyers said.

According to the U.S. Department of the Treasury, thousands of skilled North Korean IT workers use stolen identities to hold high-paying remote jobs at Western companies, illegally making money for Kim Jong Un's regime. Experts estimate the DPRK receives hundreds of millions of dollars each year from the fake IT worker scheme, directly funding the nation's illegal weapons program. During the RSAC panel, security experts from the FBI and the private sector briefed attendees on the ongoing threat, as well as strategies organizations can use to avoid hiring North Korean operatives and uncover any already in their ranks.

Generally, DPRK remote workers target software engineer, front-end developer and full-stack developer jobs, said Elizabeth Pelker, special agent at the FBI. North Korean nationals have successfully landed remote employment across Fortune 500 companies, including a high-end retail chain, a major American car manufacturer, a top Silicon Valley technology company, a top-five national media company and an aerospace and defense manufacturer, according to the U.S. Department of Justice.

Smaller teams have also found themselves in the crosshairs. Greg Schloemer, senior threat intelligence analyst at Microsoft, said he has seen organizations with just five employees unwittingly onboard remote North Korean IT workers. "There may be some misconception that larger organizations are particularly vulnerable, but any organization is a target," he said.

How North Korean IT workers infiltrate American companies

For North Korean IT workers, the job search starts as it does for most -- on social media. Teams of operatives, often living in Russia or China, use stolen identities and generative AI (GenAI) to create fake LinkedIn profiles. They then look for employment opportunities across platforms such as LinkedIn, Indeed, Craigslist and third-party recruitment sites.

Occasionally, a candidate might slip during an interview -- for example, allowing the hiring manager to glimpse a language translation application while sharing a screen. But don't count on it, warned Chris Horne, senior director of trust and safety intelligence and investigations at freelance hiring platform Upwork.

"This is a highly sophisticated network, and the people who are going through the interviews are highly trained," Horne said. "It's very, very difficult to identify who they are." Improvements in GenAI and real-time deepfakes are quickly making a bad problem even worse, he added.

Once a DPRK worker lands a job, he typically asks the new employer to send his corporate gear to an address other than the one on his application, often citing a family emergency or other plausible reason for the location change. The secondary address houses a laptop farm, where a U.S. resident working for the DPRK maintains and manages a fleet of devices, along with tech that gives the North Korean IT workers remote access.

Meyers said the counter-adversary team at CrowdStrike initially discovered DPRK activity in customers' environments in 2024, when they noticed clusters of KVMs appearing on CrowdStrike's Falcon XDR platform. A KVM -- which stands for keyboard, video (monitor) and mouse -- enables a user to control multiple computers from a single console. CrowdStrike shared the information with the FBI and soon confirmed DPRK-related malicious insider activity at more than 150 customer organizations, with data theft occurring in half of those cases.

"The customer notifications were really big -- like, 'You have a senior developer in your environment who is a malicious insider,'" Meyers said. "It turned out, in talking to the victims, every single one was a true positive."

Since then, CrowdStrike has continued to find malicious insider activity in customers' environments. During the three months leading up to the RSAC panel, Meyers said his team uncovered more than 90 North Korean IT workers masquerading as U.S. nationals.

If they can maintain their cover, DPRK operatives might continue to work at Western companies for many months, Meyers said. Upon termination, however, they often leave behind malware or take exfiltrated data with them.

"This threat is very adaptable," said the FBI's Pelker. "Even if they know they're going to get fired at some point, they have an exit strategy and a plan for further monetary gain."

Pelker said she has seen cases where data exfiltration has happened slowly and steadily over the course of long-term employment. "Think worst-case scenario -- proprietary AI code being exfiltrated," she said. "And then when they are fired, we're seeing that data extortion happening."

8 red flags that suggest a DPRK-related insider threat

The panelists urged employers to stay alert for the following red flags, which could indicate malicious insider activity by North Korean IT workers:

  1. Last-minute changes to delivery addresses. If a new hire asks to receive corporate equipment at an address other than the one on official employment paperwork, that location could be a laptop farm.
  2. Meeting attendance issues. A DPRK operative might frequently make excuses for missing meetings, especially with little notice.
  3. Background noise during calls. Because North Korean IT workers operate in teams, it might sound like an employee is working in a call center rather than a home office.
  4. Lagging internet connections. Employees secretly working outside the U.S. might have unusually slow internet connectivity.
  5. Use of VPNs. North Korean remote workers sometimes use VPN services to mask their geolocations.
  6. Use of KVM or remote monitoring and management tools. At best, unsanctioned use of KVMs and RMM tools exposes the organization to additional threat vectors. At worst, it indicates illicit activity.
  7. Performance issues. DPRK workers might have job performance issues -- if, for example, they are juggling multiple roles simultaneously to maximize revenue for the regime. Pelker cautioned, however, that the FBI has also seen cases where North Korean employees were the highest-performing members on their teams.
  8. Unexpected language settings on devices. Multilingual settings -- for example, Korean on the device of a user who claims to speak only English and Chinese -- should raise alarms.

How to mitigate the DPRK remote worker threat

North Korean cyber operatives constantly adapt their strategies to outmaneuver defenders, the FBI and private sector security experts cautioned, making the remote worker threat difficult to combat. Organizations need to stay nimble in their detection and response efforts. Experts advised starting with the following mitigation strategies:

  • Monitor skills tests. Pelker suggested requiring candidates to complete any technical skills tests on the corporate IT environment. Look for oddities in applicants' digital activity, such as unexpected IP addresses, multiple language settings and excessive screen switching.
  • Seek visibility into recruitment processes. According to Microsoft's Schloemer, third-party staffing firms represent one of the largest attack vectors for North Korean IT workers seeking remote employment. Organizations that work with external recruiters should share their concerns about malicious insiders and ask for insight into how third-party firms find and vet talent.
  • Educate and train staff. Every employee -- but especially frontline hiring managers, HR personnel and cyberthreat investigators -- needs to understand the DPRK threat, what to look for and how to report concerns. Signs of malicious insider activity are rarely obvious and often seem insignificant in isolation, Upwork's Horne added. As such, employee awareness, intuition and communication are key in helping organizations connect the dots.
  • Executive- and board-level buy-in. Security leaders should educate senior executives and corporate directors on the risks undercover North Korean IT workers pose across Western enterprises. "Make sure they understand that this is not a company-specific issue," Horne said. "It is absolutely an industry problem for us all to tackle."
  • Internal and external partnerships. The insidious and sophisticated nature of North Korean cyberoperations makes cross-team cooperation critical. "Especially in large organizations, you may have small pockets of people working this threat from different angles," Schloemer said. Ensure they share information, insights and tradecraft to maximize efficiency and efficacy. External partnerships among both private sector organizations and federal law enforcement are also key.
  • Incident response planning. Include malicious insider contingencies in the organization's incident response plans. Have processes in place to assess what data and systems malicious insiders accessed and any code they might have written. For law enforcement support, contact a local FBI field office and ask for the bureau's DPRK IT worker threat experts.
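Several of the red flags above and the skills-test telemetry in the first mitigation point are individually weak signals that only become convincing when correlated per user. The following Python sketch is an added example, not code from the article or from CrowdStrike, Microsoft, Upwork or the FBI: it joins constructed HR, shipping and endpoint fields for each remote hire, checks the address change, unsanctioned remote-control software, undeclared device languages, VPN and non-US logins and short-notice no-shows, and produces a review queue. The record schema, the process-name and locale lists, the weights, the threshold and the sample records are all assumptions for illustration.

```python
"""Correlate insider-threat indicators across HR, shipping and endpoint data.

Added example, not code from the article or any panelist's organization.
The record schema, field names, weights and sample data are constructed
assumptions for illustration only.
"""
from dataclasses import dataclass

# Illustrative set of remote-control / RMM process names. Replace with the
# organization's own unsanctioned-software inventory (assumption).
UNSANCTIONED_REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}

# Map device locale codes to language names so they can be compared with what
# the hire declared on the application (illustrative subset).
LOCALE_TO_LANGUAGE = {"en-US": "English", "ko-KR": "Korean", "zh-CN": "Chinese"}

# Additive weights per indicator (constructed; tune to local experience).
WEIGHTS = {
    "address_mismatch": 3,
    "remote_tool": 3,
    "language_mismatch": 3,
    "vpn_logins": 2,
    "foreign_login": 2,
    "missed_meetings": 1,
}
REVIEW_THRESHOLD = 5  # score at or above this warrants a joint HR + security review


@dataclass
class WorkerRecord:
    user: str
    hr_address: str                # address on employment paperwork
    ship_address: str              # where corporate equipment was actually sent
    declared_languages: frozenset  # languages claimed on the application
    device_locales: frozenset      # keyboard/display locales enumerated on the device
    processes: frozenset           # process names seen in endpoint inventory
    login_countries: frozenset     # geolocated countries of recent logins
    vpn_logins: int                # logins from known VPN/anonymizer egress
    missed_meetings: int           # short-notice no-shows in the review period


def _norm(addr: str) -> str:
    """Normalize an address string so trivial punctuation/case differences do not count."""
    return " ".join(addr.lower().replace(",", " ").split())


def evaluate(rec: WorkerRecord) -> dict:
    """Return the triggered indicators for one hire and an additive risk score."""
    hits = {}
    if _norm(rec.ship_address) != _norm(rec.hr_address):
        hits["address_mismatch"] = f"equipment shipped to {rec.ship_address!r}"
    tools = rec.processes & UNSANCTIONED_REMOTE_TOOLS
    if tools:
        hits["remote_tool"] = f"unsanctioned remote-control software {sorted(tools)}"
    device_langs = {LOCALE_TO_LANGUAGE.get(code, code) for code in rec.device_locales}
    extra = device_langs - set(rec.declared_languages)
    if extra:
        hits["language_mismatch"] = f"device languages not declared: {sorted(extra)}"
    if rec.vpn_logins:
        hits["vpn_logins"] = f"{rec.vpn_logins} logins via VPN/anonymizer egress"
    foreign = rec.login_countries - {"US"}
    if foreign:
        hits["foreign_login"] = f"logins geolocated outside the US: {sorted(foreign)}"
    if rec.missed_meetings >= 3:
        hits["missed_meetings"] = f"{rec.missed_meetings} short-notice meeting no-shows"
    score = sum(WEIGHTS[key] for key in hits)
    return {"user": rec.user, "score": score,
            "review": score >= REVIEW_THRESHOLD, "indicators": hits}


def triage(records) -> list:
    """Evaluate every record and return those needing review, highest score first."""
    results = [evaluate(r) for r in records]
    return sorted((r for r in results if r["review"]), key=lambda r: -r["score"])


# Constructed sample records: one unremarkable remote hire and one that shows
# several of the article's red flags at once.
SAMPLE_RECORDS = [
    WorkerRecord("j.doe", "12 Elm St, Austin TX", "12 Elm St, Austin TX",
                 frozenset({"English"}), frozenset({"en-US"}),
                 frozenset({"code.exe", "slack.exe"}), frozenset({"US"}), 0, 0),
    WorkerRecord("r.smith", "9 Oak Ave, Denver CO", "400 Pine Rd, Unit 7, Reno NV",
                 frozenset({"English", "Chinese"}), frozenset({"en-US", "zh-CN", "ko-KR"}),
                 frozenset({"code.exe", "anydesk.exe"}), frozenset({"US"}), 4, 3),
]

if __name__ == "__main__":
    for result in triage(SAMPLE_RECORDS):
        print(result["user"], result["score"], sorted(result["indicators"]))
```

The point of the additive score is the one Horne makes: no single indicator is conclusive (a legitimate hire can move house or run a VPN), so the output is a prioritized queue for a human HR and security review, not an automatic verdict. Feeding it with the organization's real HR export, shipping records and endpoint inventory replaces the constructed lists and weights above.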

Future of the North Korean IT worker threat

In the coming months and years, expect to see the North Korean remote worker threat continue to adapt and evolve, experts said. As awareness of the problem grows among American businesses, groups have already started targeting new regions, such as Europe and Australia.

Schloemer's team at Microsoft tracks all malicious cyberactivity out of the DPRK, of which the remote worker scam is just one part. Other North Korean cybercrime operations aim to steal cryptocurrency, intellectual property and defense secrets. Attack methods vary; in some cases, threat actors target job seekers rather than employers -- the inverse of the remote worker scheme. Schloemer said he worries about how relationships between distinct North Korean threat groups might evolve and how their interests could eventually converge.

"We need to get ahead of it with robust detection and response recommendations now," he said. "We don't want to end up in a future scenario where IT worker employment enables the theft of really sensitive and critical national security information."

Alissa Irei is senior site editor of Informa TechTarget's SearchSecurity site.